From 5e242eb94638e5e10aa5491d5094ae381b3cd321 Mon Sep 17 00:00:00 2001
From: Hermes
Date: Tue, 12 May 2026 14:52:33 -0400
Subject: [PATCH] fix: add iptables-nft to wg-easy for nftables-only kernels

wg-easy's Alpine wg-quick uses legacy iptables which requires the iptable_nat kernel module. On NixOS kernels compiled without legacy netfilter modules, the container crashes in a restart loop: iptables v1.8.3 (legacy): can't initialize iptables table 'nat' Table does not exist (do you need to insmod?) Fix: build a custom image that installs Alpine's iptables-nft package and symlinks iptables -> iptables-nft (nftables backend).
---
 vpn/Dockerfile | 16 ++++++++++++++++
 vpn/compose.yml | 5 ++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 vpn/Dockerfile
diff --git a/vpn/Dockerfile b/vpn/Dockerfile
new file mode 100644
index 0000000..931d3bf
--- /dev/null
+++ b/vpn/Dockerfile
@@ -0,0 +1,16 @@
+# Custom wg-easy with iptables-nft (nftables-backed iptables)
+# Fixes crash-loop when host kernel lacks legacy iptable_nat module.
+FROM weejewel/wg-easy:latest
+
+# Alpine's iptables-nft provides iptables that uses nftables kernel API
+# instead of the legacy iptable_nat module. This works on kernels
+# where only nftables netfilter modules are available.
+RUN apk add --no-cache iptables-nft
+
+# Ensure iptables-nft takes priority over legacy iptables
+RUN ln -sf /sbin/iptables-nft /sbin/iptables && \
+ ln -sf /sbin/iptables-nft-save /sbin/iptables-save && \
+ ln -sf /sbin/iptables-nft-restore /sbin/iptables-restore && \
+ ln -sf /sbin/ip6tables-nft /sbin/ip6tables && \
+ ln -sf /sbin/ip6tables-nft-save /sbin/ip6tables-save && \
+ ln -sf /sbin/ip6tables-nft-restore /sbin/ip6tables-restore
diff --git a/vpn/compose.yml b/vpn/compose.yml
index ceb4f35..22ca77a 100644
--- a/vpn/compose.yml
+++ b/vpn/compose.yml
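Review bot: `FROM weejewel/wg-easy:latest` on the third added line leaves a NET_ADMIN VPN gateway rebuilding from whatever the registry currently serves as `latest`, and the `ln -sf` block below it assumes the base still ships the legacy binaries at `/sbin`; neither is pinned nor verified, so a base-image change can silently reintroduce the crash loop this commit fixes or pull in an unreviewed image. Pin the base by tag and digest, `FROM weejewel/wg-easy:<tag>@sha256:…`, pin the package with `RUN apk add --no-cache iptables-nft=<version>`, and add a build-time assertion after the symlink `RUN` so the build fails rather than the container: `RUN iptables --version | grep -q nf_tables`. The `weejewel/wg-easy` name appears to be the older image location for this project; worth confirming it is still the maintained one before pinning to it.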
@@ -2,7 +2,10 @@
 version: "3.8"
 services:
 wireguard:
- image: weejewel/wg-easy:latest
+ build:
+ context: ./vpn
+ dockerfile: Dockerfile
+ image: wg-easy-iptables-nft:latest
 container_name: wireguard
 cap_add:
 - NET_ADMIN
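Review bot: `context: ./vpn` is resolved relative to the Compose project directory, which defaults to the directory holding `vpn/compose.yml`, so the build context becomes `vpn/vpn` — a path this commit does not create; the Dockerfile it adds is `vpn/Dockerfile`, beside the compose file. Change it to `context: .` and keep `dockerfile: Dockerfile`. If the stack is deliberately run from the repository root with `--project-directory .`, put a comment above the `build:` key saying so, since the path otherwise reads as a mistake.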